Lucene search

K
thn
The Hacker NewsTHN:87650195BF482879C3C258B474B11411
HistoryMay 05, 2022 - 2:38 a.m.

F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability

2022-05-0502:38:00
The Hacker News
thehackernews.com
153

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

BIG-IP Remote Code Execution Vulnerability

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products.

Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity.

Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 said in an advisory. “There is no data plane exposure; this is a control plane issue only.”

The security vulnerability, which the company said was discovered internally, affects BIG-IP products with the following versions -

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

Patches for the iControl REST authentication bypass flaw have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.

F5 has also offered temporary workarounds until the fixes can be applied -

  • Block iControl REST access through the self IP address
  • Block iControl REST access through the management interface
  • Modify the BIG-IP httpd configuration

Other notable bugs resolved as part of the update include those that could permit an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary JavaScript code in the context of the currently logged-in user.

With F5 appliances widely deployed in enterprise networks, it’s imperative that organizations move quickly to apply the patches to prevent threat actors from exploiting the attack vector for initial access.

The security fixes come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation -

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Be first who know about 0-days in popular software

Do not waste time on finding information in tons of articles. Subscribe yourself and your colleagues on news and articles about products you need and you use!

Subscribe on news

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Related for THN:87650195BF482879C3C258B474B11411